Exam (worked answers)

ISC2 CAP Exam Prep 2024 with 100% correct answers

Pages: 32
Grade: A+
Uploaded on: 24-02-2024
Written in: 2023/2024

Preview of the content

ISC2 CAP Exam Prep 2024 with 100% correct answers

In FIPS 199, a loss of Confidentiality is defined as - correct answer ✔✔The unauthorized disclosure of information

In FIPS 199, a loss of Integrity is defined as - correct answer ✔✔The unauthorized modification or destruction of information

In FIPS 199, a loss of Availability is defined as - correct answer ✔✔The disruption of access to or use of information

NIST Special Publication 800-53 r4 - correct answer ✔✔FIPS 200 Mandated - A catalog of security controls. Defines three baselines (L, M, H). Initial version published in 2005.

None - correct answer ✔✔This FIPS document can be waived

Inherited - correct answer ✔✔An organization's information systems are a mix of Windows and UNIX systems located in a single computer room. Access to the computer room is restricted by the door locks that require proximity cards and personal identification numbers (PINs). Only a small percentage of the organization's employees have access to the computer room. The computer room access restriction is an example of what type of security control relative to the hardware in the computer room?

Supplement the common controls with system-specific or hybrid controls to achieve the required protection for the system - correct answer ✔✔An information system is currently in the initiation phase of the SDLC and has been categorized high impact. The information system owner wants to inherit common controls provided by another organization information system that is categorized moderate impact. How does the information system owner ensure that the common controls will provide adequate protection for the information system?

Active involvement by authorizing officials in the ongoing management of information system-related security risks. - correct answer ✔✔An effective security control monitoring strategy for an information system includes...

All Steps - correct answer ✔✔In which steps is the security plan updated (Categorize, Implement, or Monitor)?

An enterprise security authorization program is considered successful when - correct answer ✔✔A) provides an effective means of meeting requirements
B) permits efficient oversight of its activities
C) provides assurance that controls are implemented at the system level

Hybrid - correct answer ✔✔A large organization has a documented information system policy that has been reviewed and approved by senior officials and is readily available to all organizational staff. This information security policy explicitly addresses each of the 17 control families in NIST SP 800-53, Revision 3. Some system owners also established procedures for the technical class of security controls on certain of their systems. In their respective system security plans, control AC-1 Access Control Policy and Procedures (a technical class security control) must be identified as what type of control?

NIST Special Publication 800-37, Revision 1 - correct answer ✔✔This manual defines the Risk Management Framework

NIST Special Publication 800-30 - correct answer ✔✔This manual defines how to conduct a risk assessment

FISMA - correct answer ✔✔Federal Information Security Management Act

Federal Information Security Management Act (FISMA) - correct answer ✔✔This raised visibility through government on certification, accreditation and system authorizations and follows NIST SP 800-37

SDLC phases within the RMF in order - correct answer ✔✔1) Initiation
2) Development/Acquisition
3) Implementation
4) Operation/Maintenance
5) Disposal

Information System Owner (ISO) - correct answer ✔✔This organizational official is responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system.

FIPS 200 - correct answer ✔✔This document specifies security requirements for federal information and information systems in 17 security-related areas that represent a broad-based, balanced information security program. Specifies that a minimum baseline of security controls, as defined in NIST SP 800-53, will be implemented. Specifies that the baselines are to be appropriately tailored.

Leveraged - correct answer ✔✔Which authorization approach (leveraged, single, and joint or site specific) considers time elapsed since the authorization results were produced, the environment of operation, the criticality/sensitivity of the information, and the risk tolerance of other organizations?

Authorizing Official (AO) - correct answer ✔✔When an authorization to operate (ATO) is issued, this role authoritatively accepts residual risk on behalf of the organization.

Information Technology Systems - correct answer ✔✔The objective of system authorization is to ensure the security of...

Will NEVER have a primary role in any RMF step tasks - correct answer ✔✔A) Information system security officer (ISSO)
B) Information system security engineer (ISSE)

Authorizing Official (AO) - correct answer ✔✔Who does the Security Control Assessor (SCA) report directly to?

Independence and Technical Confidence - correct answer ✔✔The two basic traits a Security Control Assessor (SCA) must have

Successful information technology develops separate security perimeters covering individual critical resources according to the system boundaries rather than one perimeter to cover all critical resources. This works because... - correct answer ✔✔A) Systems are distance
B) Their limits can be defined in practical terms
C) Security is comparatively easy to implement at system level

Authorizing Official (AO) - correct answer ✔✔The Information System Owner (ISO) is appointed by this person

Chief Information Officer (CIO) - correct answer ✔✔The Common Control Provider (CCP) is appointed by this person

Certification - correct answer ✔✔The process to assess effectiveness of security controls

NIST Special Publication 800-53, Revision 4 - correct answer ✔✔This publication introduces the new family Program Management as well as eight additional security and privacy control families to the FIPS 200 17 security control families.

The three Risk Management core components - correct answer ✔✔A) Risk Assessment (understand what can go wrong)
B) Risk Mitigation (identify how risk is managed)
C) Security Control (must be planned and budgeted)

Accreditation - correct answer ✔✔Management decision (based on the assessment) to permit an information system to operate at its current security posture.

The documents required for the accreditation package are... - correct answer ✔✔A) Security plan
B) Security assessment report
C) Plan of action and milestones

CPIC - correct answer ✔✔Capital Planning and Investment Controls

Capital Planning and Investment Controls includes the following... - correct answer ✔✔A) How systems are funded
B) Supplemental funding for new or improved security control implementation
Seller: ExamVerse, Southern New Hampshire University